During a recent internal study, the Department of Homeland Security tested whether its employees were vulnerable to phishing, a tactic whereby hackers masquerade as a legitimate organization in an attempt to gain sensitive information. In a sample of almost a thousand people, more than 18 percent failed the test and clicked on a link that could have installed malware on their computers, says Doug Maughan, cybersecurity division director at Homeland Security Advanced Research Projects Agency.
This example showcases one area of cybersecurity that Maughan says DHS is paying more attention to in recent years and plans to direct more money to: the human element.
“We have spent 20-30 years…trying to solve the cybersecurity problem and never really thought about the human,” he says at the USENIX Security Symposium this month. “Our weakest link is the human.”
The Department of Homeland Security is tasked with securing federal civilian networks, empowering law enforcement, and it also plays an oversight role for private sector entities that deal with critical infrastructure like financial institutions. It needs new cyber tools that can help law enforcement agencies find those who are using the internet to conduct crime and bring them to justice, Maughan says.
“More and more criminals are going online using things like Tor and the dark web,” he says, referencing special networks used primarily for illicit activity and free software that allows individuals to use the internet anonymously. “Our law enforcement community doesn’t have the tools it needs to do its job in trying to track people in those types of those environments.”
However, many DHS requirements are much more mundane, such as the interplay between humans and cybersecurity, he says. “We ignored the human for way too long, and it has cost us.”
Identity management—the realm of cybersecurity concerned with how individuals protect data and personal information, such as with a password and biometrics—is another area where the department constantly seeks new and better technologies, he says.
“There’s no silver bullet here,” he says, adding that it’s a problem faced by both the private and public software. While a typical username/password combination can be breached more easily than other authentication tools, those more sophisticated methods might not be usable in an operational environment.
It also needs better ways to secure mobile devices and to ensure that software is free of vulnerabilities.
“I know you guys are all perfect, you all write great software and no one has any mistakes in their software, but we still have things like OPM,” he says, referring to the recent breach at the Office of Personnel and Management that affected more than 21 million individuals.